LoFP / allowed administrative activities.

Techniques

Sample rules

Github Fork Private Repositories Setting Enabled/Cleared

Description

Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).

Detection logic

condition: selection
selection:
  action:
  - private_repository_forking.clear
  - private_repository_forking.enable

Github SSH Certificate Configuration Changed

Description

Detects when changes are made to the SSH certificate configuration of the organization.

Detection logic

condition: selection
selection:
  action:
  - ssh_certificate_authority.create
  - ssh_certificate_requirement.disable

Github Push Protection Disabled

Description

Detects if the push protection feature is disabled for an enterprise, an organization, a repository, or a custom pattern rule.

Detection logic

condition: selection
selection:
  action:
  - business_secret_scanning_custom_pattern_push_protection.disabled
  - business_secret_scanning_push_protection.disable
  - business_secret_scanning_push_protection.disabled_for_new_repos
  - org.secret_scanning_custom_pattern_push_protection_disabled
  - org.secret_scanning_push_protection_disable
  - org.secret_scanning_push_protection_new_repos_disable
  - repository_secret_scanning_custom_pattern_push_protection.disabled

Github Secret Scanning Feature Disabled

Description

Detects if the secret scanning feature is disabled for an enterprise or repository.

Detection logic

condition: selection
selection:
  action:
  - business_secret_scanning.disable
  - business_secret_scanning.disabled_for_new_repos
  - repository_secret_scanning.disable
  - secret_scanning_new_repos.disable
  - secret_scanning.disable

Github Repository/Organization Transferred

Description

Detects when a repository or an organization is being transferred to another location.

Detection logic

condition: selection
selection:
  action:
  - migration.create
  - org.transfer_outgoing
  - org.transfer
  - repo.transfer_outgoing

Github Push Protection Bypass Detected

Description

Detects when a user bypasses the push protection on a secret detected by secret scanning.

Detection logic

condition: selection
selection:
  action|contains: secret_scanning_push_protection.bypass
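The six selections above all key on the GitHub audit-log `action` field, and they differ in one detail worth seeing in code: five use an exact list match, the last uses the `|contains` modifier. The block below is an added example (not LoFP's code, not a Sigma backend) that transcribes the page's selections into a tiny matcher, runs them over constructed audit-log events, and attaches a disposition for the "allowed administrative activities" false positive this page is about. The `approved_admins` allowlist and the sample events (actor names, org and repo names, and the `secret_scanning.disabled` variant used to show exact-match strictness) are assumptions made for the example; only the field names `action`, `actor`, `org` and `repo` follow GitHub's export format.

```python
import json

# Selections transcribed from the rules on this page. Each entry is
# (field, modifier, values): a Sigma list under a field is OR-ed, and
# "|contains" is a substring test instead of an exact comparison.
RULES = {
    "Github Fork Private Repositories Setting Enabled/Cleared": ("action", None, [
        "private_repository_forking.clear",
        "private_repository_forking.enable",
    ]),
    "Github SSH Certificate Configuration Changed": ("action", None, [
        "ssh_certificate_authority.create",
        "ssh_certificate_requirement.disable",
    ]),
    "Github Push Protection Disabled": ("action", None, [
        "business_secret_scanning_custom_pattern_push_protection.disabled",
        "business_secret_scanning_push_protection.disable",
        "business_secret_scanning_push_protection.disabled_for_new_repos",
        "org.secret_scanning_custom_pattern_push_protection_disabled",
        "org.secret_scanning_push_protection_disable",
        "org.secret_scanning_push_protection_new_repos_disable",
        "repository_secret_scanning_custom_pattern_push_protection.disabled",
    ]),
    "Github Secret Scanning Feature Disabled": ("action", None, [
        "business_secret_scanning.disable",
        "business_secret_scanning.disabled_for_new_repos",
        "repository_secret_scanning.disable",
        "secret_scanning_new_repos.disable",
        "secret_scanning.disable",
    ]),
    "Github Repository/Organization Transferred": ("action", None, [
        "migration.create",
        "org.transfer_outgoing",
        "org.transfer",
        "repo.transfer_outgoing",
    ]),
    "Github Push Protection Bypass Detected": ("action", "contains", [
        "secret_scanning_push_protection.bypass",
    ]),
}


def field_matches(value, modifier, patterns):
    """Apply one Sigma field test: exact match (no modifier) or substring (|contains)."""
    if value is None:
        return False
    if modifier == "contains":
        return any(p in value for p in patterns)
    return value in patterns


def matching_rules(event):
    """Return the names of every rule on the page whose selection matches the event."""
    hits = []
    for name, (field, modifier, patterns) in RULES.items():
        if field_matches(event.get(field), modifier, patterns):
            hits.append(name)
    return hits


def triage(event, approved_admins):
    """Attach a disposition for the 'allowed administrative activities' false positive.

    approved_admins is an assumed allowlist of accounts whose configuration
    changes are covered by a change record. It only downgrades a match to
    'expected_admin_change' for review; it never suppresses the match itself.
    """
    hits = matching_rules(event)
    if not hits:
        return {"rules": [], "disposition": "no_match"}
    if event.get("actor") in approved_admins:
        return {"rules": hits, "disposition": "expected_admin_change"}
    return {"rules": hits, "disposition": "investigate"}


# Constructed sample events in the shape of a GitHub audit-log JSON export
# (field names action/actor/org/repo are GitHub's; all values are made up).
SAMPLE_EVENTS = [
    {"action": "org.secret_scanning_push_protection_disable", "actor": "octo-admin", "org": "example-org"},
    {"action": "repository_secret_scanning_push_protection.bypass", "actor": "dev-alice",
     "org": "example-org", "repo": "example-org/payments"},
    {"action": "private_repository_forking.enable", "actor": "dev-bob", "org": "example-org"},
    {"action": "repo.create", "actor": "dev-alice", "org": "example-org", "repo": "example-org/new-service"},
    # Constructed near-miss: differs from the listed "secret_scanning.disable" by one letter,
    # so the exact-match selection does not fire on it.
    {"action": "secret_scanning.disabled", "actor": "dev-bob", "org": "example-org"},
]
APPROVED_ADMINS = {"octo-admin"}  # assumed allowlist for the example


def run(events=SAMPLE_EVENTS, approved_admins=APPROVED_ADMINS):
    """Triage every event; returns one result dict per input event, in order."""
    return [triage(e, approved_admins) for e in events]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, run()):
        print(json.dumps({"action": event["action"], **result}))
```

The near-miss event shows why the exact-list rules are brittle against renamed or newly added audit actions: an action that is not literally in the list produces nothing, whereas the `|contains` rule catches any action carrying the bypass substring. The allowlist step is where the "allowed administrative activities" false positive is handled without blinding the detection: an approved administrator's change still surfaces, tagged for a lighter review against the change record.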